Main navigation

What to do when a secure connection fails

Recently, I’ve had a spate of secure web connections (using HTTPS) which have failed. I’ve entered, pasted or linked to what should be a secure website, only to see Safari complaining that something is wrong.

In this case, the certificate expired the previous day. It’s very tempting just to click on the link to visit the website, but you should never do that. Pause for a few moments to make a careful decision, rather than rushing ahead.

What makes secure websites different is that your browser connects to them using more secure HTTPS protocols with encryption. This should make them better-trusted, so you can have reasonable confidence that downloading software from them won’t deliver malware, and that you can provide sensitive information such as passwords, and exchange data such as bank account details securely.

Before any of that can happen, the server has to establish a basis of trust, which relies on its security certificate. So in the opening stages of making the connection, your browser checks the server’s certificate.

Lots of things can be amiss. In this case, the security certificate had expired the day before. In another failed connection, the certificate was for a slightly different web address, not the one for which it was being used. The moment that you see this report in your browser, you should stop clicking on things automatically, and start paying very close attention. If you can’t do that just now, the safest thing to do is back off and leave it until you can.

Malicious websites and malware are almost invariably designed to exploit human weaknesses. It’s all too easy to think that it’s fine to download an update from a site whose certificate only expired yesterday, and that might be exactly what an attacker wants. Their job is to lure you to them with all your defences down – and many of them are very skilled at doing just that.

As this warning points out, it’s quite possible that certificate is still valid, and that your Mac just thinks the date is later than it really is. With most system clocks set against internet time servers, that is now quite unusual, but worth a quick check.

More important is checking that the web address is absolutely correct. The warning here tells you the address that your browser is trying to connect to. Are you sure that it shouldn’t be something slightly different? Are all the characters normal and regular, or might some of them be Unicode spoofs? Is the end of the address really .com, or should it be .co or something different? If you have any doubts, back off and get the address right before going any further.

When you’re confident that the site is absolutely correct, you next have to think about risk. If you’re just going to view that site to find something out, and don’t intend downloading anything, that doesn’t make it safe. If the site is malicious, it could still trick you into doing something that you’ll regret – every link should be treated as potentially dangerous. It’s still best not to go there, but if you really need that information now, you might be able to proceed with great caution.

If you were going there with the intention of downloading software or an update, just don’t. You may have an anti-virus scanner active, but that will only detect the malware that it already knows about. If this site is just about to serve you the latest and as-yet unreported Trojan for your Mac, you probably won’t receive any warning. Neither will the security tools built into macOS, such as XProtect and MRT, protect you. Chances are that any malware will be signed using a valid developer certificate, so will pass Gatekeeper’s checks, at least until it has been detected and that signature revoked by Apple.

When it comes to malware, you really don’t want to be an early adopter.

There are some things that you can think about doing. You can always click on the link to view the security certificate, although that won’t normally help you make a decision. In this case, it shows what appears to have been a valid certificate, which did expire on the previous day. You might recognise that the certificate traces back to a Root Certificate which looks suspicious, but for most users viewing the certificate isn’t likely to contribute a great deal.

If you’re just after information, you may be able to get that from the plain HTTP site. This might seem to be heading in the wrong direction, but your browser should alert you to any potential disclosure made over an insecure connection, which it would let pass when the connection is secure. In one case, I wanted to view a page on a blog for which I had a secure address which failed; entering the plain HTTP version of the site worked fine, and proved genuine.

But if you’re looking for an update or download, none of these is going to get you very far without putting your Mac at significant risk. The best thing is to email the site’s support address and inform them of the problem. Wait until they get back to you before doing anything further. But don’t enter the website to complete a contact form there: if you can’t use a regular email address, try addressing a tweet to them, perhaps.

Whatever you do, never get pressured in compromising your Mac’s security. That is one of the human weaknesses that attackers use most successfully of all: our lack of patience.